ISM-2067 ASD Information Security Manual (ISM)

Ensure Single Logout for Single Sign-On Web Applications

Web apps with Single Sign-On should also log users out from all connected services.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Web applications that support Single Sign On equally support Single Logout.

Source: ASD Information Security Manual (ISM)

Plain language

When you log out of a system that uses Single Sign-On (SSO), this control ensures you are automatically logged out of all related services, not just the one you're leaving. This is important because if you forget to log out from multiple places, someone else might gain unauthorised access to your accounts, risking your company's sensitive information.

Why it matters

Without Single Logout in SSO, ending a session in one app may not terminate sessions in other linked apps, enabling unauthorised access to organisational data.

Operational notes

Verify that SSO Single Logout ends the identity provider (IdP) session and all relying-party sessions; test browser back-button and multi-tab scenarios after changes to SSO or app integrations.

Implementation tips

  • The IT team should ensure that the Single Sign-On system is configured to support Single Logout. This can be done by checking settings in the SSO software that enable logout actions to extend across all connected services.
  • System administrators should regularly test the Single Logout process to confirm it works as expected. They can simulate user actions to log out from one application and verify that it successfully ends sessions on all integrated applications.
  • Security officers should inform employees about the importance of using Single Logout. This can be included in regular cybersecurity training sessions to raise awareness of secure login and logout practices.
  • HR and IT should collaborate to update new employee onboarding processes. Include specific guidance on how to use SSO and the importance of completing logout actions to protect company data.
  • The IT support team should create easy-to-follow guides for employees, explaining how to use Single Logout. This can include step-by-step instructions with screenshots or short video tutorials, ensuring everyone follows the same method.

Audit / evidence tips

  • Ask: the configuration settings of the Single Sign-On system

    Good: shows Single Logout is consistently applied for every connected application

  • Good: will include timestamps indicating simultaneous logout from all systems

  • Ask: documentation of SSO testing procedures

    Good: will provide dates and outcomes of these tests, verifying that Single Logout works as intended

  • Good: includes training completion records from all relevant staff members

  • Ask: incident reports involving user sessions

    Good: would be an absence of such incidents, or records showing that any found issues were quickly addressed

Cross-framework mappings

How ISM-2067 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Depends on (1)
Annex A 8.26 ISM-2067 requires web applications that support Single Sign-On (SSO) to equally support Single Logout (SLO) to ensure that a user’s logou...
